
FTC provides guidance on building security in the “Internet of Things”

In today’s digital age, the omnipresence of the internet and internet-connected devices has led to the coining of “The Internet of Things.” From cellphones and computers, to refrigerators and televisions, to vacuum cleaners and dishwashers, everyday aspects of consumers’ lives are increasingly connected to the internet. While these capabilities are largely aimed at improving the lives of consumers, they come with burdens. Hackers and data breaches are an ongoing challenge. Whether it is an invasion of a consumer’s privacy through an internet-connected baby monitor, or a homeowner being spied upon through their own home security camera, there are numerous instances in which internet-connected devices have been turned against consumers. Whatever the motivations behind them, such incidents underscore the need for privacy and security in “The Internet of Things.”

The FTC recently published guidance (“Careful Connections: Building Security in the Internet of Things”) offering a series of steps for companies to consider in the design and marketing of products connected to the “Internet of Things.” These steps include the following:

Start with the fundamentals. Encourage a culture of security at your company and avoid default passwords: a device should not ship with a shared, published credential, and the user should be required to set a unique one before the product can be used.

Take advantage of what experts have already learned about security. Use industry best practices such as encryption and rate limiting (capping the number of requests, such as login attempts, that a given client may make within a period of time, which blunts brute-force password guessing).

Design your product with authentication in mind. Consider adopting two-factor authentication, for example requiring both a password and a physical security token.

Protect the interfaces between your product and other devices or services. One approach is “fuzzing,” a testing method that feeds a device or system malformed or unexpected input data to detect defects such as crashes and hangs before an attacker finds them.

Consider how to limit permissions. Generally, give each user, component, and partner access only to the information and functions it actually needs (the principle of least privilege).

Take advantage of readily available security tools. Such tools can include network scanners, password strength checkers, and vulnerability scanners.

Test the security measures before launching your product. Test the product in scenarios that replicate how consumers will use the product in the real world.

Select the secure choice as your default setting.

Use your initial communications with customers to educate them about the safest use of your product. For example, consider using an initial registration email to explain how customers can use the product securely and most effectively.

Establish an effective approach for updating your security procedures. Consider regular security evaluations and how you will deliver security updates to devices already in customers’ hands.

Keep your ear to the ground. For example, regularly check free databases of vulnerabilities reported by vendors and security researchers, such as the National Vulnerability Database.

Innovate how you communicate. For example, consider using icons, lights, or other methods to signal when an update is available or when the device is connected to the Internet.

Let prospective customers know what you’re doing to secure consumer information. View a focus on security as a competitive advantage.

While the FTC’s guidance is merely guidance, readers should take notice of the FTC’s increased interest in data security and privacy. The FTC has been actively enforcing the regulations governing consumer privacy. By the end of 2014 the FTC reported having brought over 130 spam and spyware cases, more than 40 general privacy lawsuits, over 50 cases against companies that engaged in unfair or deceptive practices putting consumers’ personal data at unreasonable risk, almost 30 cases for violation of the Gramm-Leach-Bliley (“GLB”) Act, 24 Safe Harbor cases, and over 20 Children’s Online Privacy Protection Act of 1998 (“COPPA”) cases, collecting millions of dollars in civil penalties. The 103 “Do Not Call” cases concluded thus far have resulted in orders totaling more than $130 million in civil penalties and $1 billion in redress or disgorgement.

More recently, the FTC announced the creation of the Office of Technology Research and Investigation, which has a broad mandate of “tackling . . . investigative research on technology issues involving all facets of the FTC’s consumer protection mission, including privacy, data security, connected cars, smart homes, algorithmic transparency, emerging payment methods, big data, and the Internet of Things.”

Without a doubt, data privacy and security is at the forefront of the FTC’s attention.
